出于安全原因,我已将 openswan 从先前版本更新至 U2.6.32/K2.6.18-194.el5 (netkey)
从那一刻起,我一直遇到隧道不断掉线的情况,我检查了 /var/log/secure 日志,但未能发现问题......
此外,当我输入时,命令会出现一些奇怪的行为
service ipsec status
它长时间没有响应(大约 5 分钟),当它最终响应时,它说没有隧道
经过多次重启和几个小时的冷汗后开始工作正常...
以下是多次服务重启之间的时间间隔的日志……
包含“pluto”条目的 /var/log/secure/ 日志:
MYSERVER ipsec__plutorun: Starting Pluto subsystem...
MYSERVER pluto[8607]: nss directory plutomain: /etc/ipsec.d
MYSERVER pluto[8607]: NSS Initialized
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:8607
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: LEAK_DETECTIVE support [disabled]
MYSERVER pluto[8607]: OCF support for IKE [disabled]
MYSERVER pluto[8607]: SAref support [disabled]: Protocol not available
MYSERVER pluto[8607]: SAbind support [disabled]: Protocol not available
MYSERVER pluto[8607]: NSS support [enabled]
MYSERVER pluto[8607]: HAVE_STATSD notification support not compiled in
MYSERVER pluto[8607]: Setting NAT-Traversal port-4500 floating to off
MYSERVER pluto[8607]: port floating activation criteria nat_t=0/port_float=1
MYSERVER pluto[8607]: NAT-Traversal support [disabled]
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
MYSERVER pluto[8607]: starting up 7 cryptographic helpers
MYSERVER pluto[8607]: started helper (thread) pid=47968782256448 (fd:10)
MYSERVER pluto[8607]: started helper (thread) pid=47968792754496 (fd:12)
MYSERVER pluto[8607]: started helper (thread) pid=47968803252544 (fd:14)
MYSERVER pluto[8607]: started helper (thread) pid=47968813750592 (fd:16)
MYSERVER pluto[8607]: started helper (thread) pid=47968824240448 (fd:18)
MYSERVER pluto[8607]: started helper (thread) pid=47968834746688 (fd:20)
MYSERVER pluto[8607]: started helper (thread) pid=47968845244736 (fd:22)
MYSERVER pluto[8607]: Using Linux 2.6 IPsec interface code on 2.6.18-194.el5 (experimental code)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/cacerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/aacerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/crls'
MYSERVER pluto[8607]: | selinux support is NOT enabled.
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: listening for IKE messages
MYSERVER pluto[8607]: adding interface virbr0/virbr0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth1:0/eth1:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth1/eth1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0:1/eth0:1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0:0/eth0:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0/eth0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface lo/lo xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface lo/lo ::1:500
MYSERVER pluto[8607]: loading secrets from "/etc/ipsec.secrets"
MYSERVER pluto[8607]: "/etc/ipsec.secrets" line 14: CKAIDNSS keyword not found where expected in RSA key
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: "connVPNxxx" #1: initiating Main Mode
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #2: initiating Main Mode
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
MYSERVER pluto[8607]: "connVPNxxx" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: STATE_MAIN_I2: sent MI2, expecting MR2
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: STATE_MAIN_I2: sent MI2, expecting MR2
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #1: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #3: initiating Main Mode
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #1: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: max number of retransmissions (2) reached STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: starting keying attempt 2 of an unlimited number, but releasing whack
MYSERVER pluto[8607]: "connVPNxxx" #4: initiating Main Mode to replace #1
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #2: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: max number of retransmissions (2) reached STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: starting keying attempt 2 of an unlimited number
MYSERVER pluto[8607]: "connVPNxxx" #5: initiating Main Mode to replace #2
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: received and ignored informational message
MYSERVER pluto[8607]: shutting down
MYSERVER pluto[8607]: forgetting secrets
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #3: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #4: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #5: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: shutting down interface lo/lo ::1:500
MYSERVER pluto[8607]: shutting down interface lo/lo xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0/eth0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0:0/eth0:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0:1/eth0:1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth1/eth1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth1:0/eth1:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface virbr0/virbr0 xx.xx.xx.xx:500
这ipsec.conf:
/etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
interfaces=%defaultroute
klipsdebug=none
nat_traversal=no
####### forwardcontrol=yes
oe=off
plutodebug=none
protostack=netkey
####### virtual_private=%v4:xx.xx.xx/8,%v4:xx.xx.xx/16,%v4:xx.xx.xx/12
conn connVPNxxx1
left=xx.xx.xx
leftid=xx.xx.xx
leftsubnet=xx.xx.xx/32
leftsourceip=xx.xx.xx
right=xx.xx.xx
rightid=xx.xx.xx
rightsubnet=xx.xx.xx/32
rightsourceip=xx.xx.xx
auto=start
authby=secret
ike=3des-sha1-modp1024
esp=3des-sha1
ikelifetime=28800s
keylife=3600s
keyexchange=ike
pfs=no
type=tunnel
conn connVPNxxx2
left=xx.xx.xx
leftid=xx.xx.xx
##20-11-2014 leftnexthop=%direct
leftsubnet=xx.xx.xx/32
leftsourceip=xx.xx.xx
right=xx.xx.xx
rightid=xx.xx.xx
##20-11-2014 rightnexthop=%direct
rightsubnet=xx.xx.xx/32
rightsourceip=xx.xx.xx
auto=start
authby=secret
ike=3des-sha1-modp1024
esp=3des-sha1
ikelifetime=28800s
keylife=3600s
keyexchange=ike
pfs=yes
type=tunnel
conn vpnxxx3
left=xx.xx.xx
leftid=xx.xx.xx
##20-11-2014 leftnexthop=%direct
leftsubnet=xx.xx.xx/32
leftsourceip=xx.xx.xx
right=xx.xx.xx
rightid=xx.xx.xx
##20-11-2014 rightnexthop=%direct
rightsubnet=xx.xx.xx/32
rightsourceip=xx.xx.xx
auto=start
authby=secret
ike=3des-sha1-modp1024
esp=3des
ikelifetime=28800s
keylife=3600s
keyexchange=ike
pfs=no
type=tunnel